Security policy
1. PURPOSE
ILUMINACIONES XIMÉNEZ, S.A.U. (hereinafter Iluminaciones Ximénez) considers information an essential asset for the proper performance of its functions. A large part of the information contained in the information systems of public and private entities, as well as the services they provide, constitute strategic national assets. The information and the services provided are subject to threats and risks stemming from malicious or unlawful actions, errors or failures, and accidents or disasters.
In its commitment to ensuring that the services available to users through electronic means are provided under maximum security conditions, Iluminaciones Ximénez develops and approves this Information Security Policy, applying the minimum security measures required by the National Security Framework (ENS) in relation to:
A. Organization and implementation of the security process.
B. Risk analysis and management.
C. Personnel management.
D. Professionalism.
E. Access authorization and control.
F. Protection of facilities.
G. Procurement of security products and contracting of security services.
H. Least privilege.
I. System integrity and updating.
J. Protection of stored and transmitted information.
K. Prevention regarding interconnected information systems.
L. Activity logging and detection of harmful code.
M. Security incidents.
N. Business continuity.
O. Continuous improvement of the security process.
The different areas must ensure that information security is a vital part of the services provided by Iluminaciones Ximénez and must safeguard such information throughout its entire life cycle (collection, transport, processing, storage, and destruction). The areas must be prepared to prevent, detect, react to, and recover from incidents, thus ensuring continuity in the provision of services with appropriate quality and security.
This Information Security Policy formalizes senior management's clear commitment to disseminating, consolidating, and enforcing it.
2. SCOPE
This Information Security Policy applies to all areas, services, and internal and external employees of Iluminaciones Ximénez, regardless of their hierarchical classification. It also applies to all information systems and communication infrastructures used for Iluminaciones Ximénez’s functions.
With this Information Security Policy, the organization demonstrates its commitment to establishing, implementing, maintaining, and continuously improving a security management system in accordance with the principles set out in Article 5 of Royal Decree 311/2022. These are:
• Security as a comprehensive process.
• Risk-based security management.
• Prevention, detection, response, and preservation.
• Lines of defense.
• Continuous monitoring.
• Periodic re-evaluation of the security status.
• Clear differentiation of responsibilities.
3. MISSION AND OBJECTIVES
Iluminaciones Ximénez, in fulfilling its functions and responsibilities, provides the services and activities needed to meet the expectations and interests of the entity, its users, and its clients. To support this mission, it uses appropriate technologies and strengthens its electronic relationship with users and clients, building the required trust through a comprehensive information security system that extends across the entire organization.
This security system aims to guarantee the quality of information and the continuous delivery of services by acting preventively, supervising daily activities, and responding promptly to incidents. To this end, the following general information security objectives are established:
1. To have the necessary control measures in place to comply with applicable legal requirements arising from its activity, especially those relating to the protection of personal data and the provision of services through electronic means.
2. To guarantee access to information and its confidentiality, integrity, availability, authenticity, and traceability (the ENS security dimensions), as well as the continuous delivery of services, acting preventively, supervising daily activities, and responding quickly to incidents.
3. To protect the entity’s information assets and the technology used to process them from internal or external threats, whether intentional or accidental.
4. To build user trust by protecting their information throughout its entire life cycle.
5. To facilitate the continuous improvement of security processes, procedures, products, and services.
6. To ensure business continuity by establishing contingency plans for critical services and maintaining security at all times.
7. To raise awareness among, train, and motivate personnel regarding the importance of security in the workplace.
4. REGULATORY FRAMEWORK
The regulatory basis governing the activities and responsibilities of Iluminaciones Ximénez, and which requires the explicit implementation of security measures in information systems, is mainly established by the following legislation:
• Royal Decree 311/2022, of 3 May, regulating the National Security Framework (ENS).
• Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights.
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (General Data Protection Regulation, GDPR).
The remaining national and regional regulations affecting Iluminaciones Ximénez’s services, information security, and the protection of personal data also form part of the regulatory framework.
Keeping this regulatory framework up to date will be the responsibility of Iluminaciones Ximénez's Information Security Officer or their designee, and it will be kept as an annex in the media and/or formats determined by the Security Committee. The Security Technical Instructions that are mandatory under the ENS will also be included. Likewise, the Security Officer will ensure that the applicable CCN (National Cryptologic Centre) security guidelines are identified to improve compliance with the ENS.
5. SECURITY ORGANIZATION
To proactively manage and coordinate information security, the INFORMATION SECURITY COMMITTEE is established as the security management body.
This Committee is composed of the following roles:
a. INFORMATION OWNER
They will determine the requirements of the information processed.
They hold ultimate responsibility for the use and protection of specific information. They will advise and have authority to define the security requirements of information and services. They will also determine information security levels.
Furthermore, they will report on the security status within the area of information and communication systems and may convene meetings and send communications to Committee members.
b. SERVICE OWNER
They will determine the requirements of the services provided.
This person (or persons) is responsible for the operation of various areas of the entity, establishing requirements, objectives, and means for performing tasks. They will determine the security requirements of the services provided, including security levels, and may seek advice from the Security Officer and System Owner.
They will include security specifications within the service and system life cycle and assess the consequences of negative impacts on service security.
They must ensure compliance with security regulations within their area and inform the Information Owner about compliance with the security regulations approved by the Committee.
c. SECURITY OFFICER
They will take the decisions necessary to meet the security requirements of information and services, oversee the implementation of the required measures, and report on these matters.
Designated by management, this person ensures compliance with this Information Security Policy and promotes training and awareness.
If needed, Delegated Security Officers may be appointed, though responsibility cannot be delegated.
Their functions include, among others:
• Coordinating and controlling measures defined in the Record of Processing Activities and ensuring compliance with the data protection impact assessment.
• Reporting directly to the Information Security Committee.
• Possibly acting as the Committee’s Secretary.
• Collecting security requirements and categorizing the system.
• Conducting risk analyses.
• Preparing the Statement of Applicability based on ENS Annex II and the risk analysis.
• Informing stakeholders about expected residual risks.
• Coordinating the development of system security documentation.
• Contributing to the drafting and approval of the Information Security Policy and documentation.
• Preparing Operating Security Procedures, training plans, continuity plans, and improvement plans.
• Analyzing incidents and proposing safeguards.
• Approving system life cycle security directives.
The Security Officer must be different from the System Owner; if not possible, compensatory measures must be applied.
If the security function is outsourced, the service provider must designate a POC (Point of Contact).
d. SYSTEM OWNER
Responsible for implementing security in the system and supervising its daily operation, delegating tasks where appropriate.
Their duties include:
a. Developing, operating, and maintaining the information system throughout its life cycle.
b. Defining system topology and management.
c. Ensuring security measures are properly integrated.
d. Possibly suspending service in case of serious security deficiencies, with agreement from relevant roles.
e. Applying operational security procedures.
f. Monitoring and reporting the security status.
g. Conducting continuity plan tests.
h. Preparing system life cycle security directives.
Delegated System Owners may be appointed when necessary.
e. COMMITTEE SECRETARY
Responsible for recording meeting minutes. This role is performed by the Security Officer.
f. DATA PROTECTION OFFICER (DPO)
Ensures and advises on compliance regarding data subjects’ rights.
Appointment
Committee members are appointed by management. Roles are reviewed every three years or upon vacancy.
The Committee resolves conflicts between roles, elevating unresolved matters to management.
5.1 COMMITTEE FUNCTIONS
The Committee’s functions include:
• Responsibilities related to personal data processing.
• Addressing entity-wide security concerns.
• Reporting regularly to management.
• Promoting continuous improvement.
• Defining security strategy.
• Coordinating departmental efforts.
• Drafting and revising the Security Policy.
• Approving security regulations.
• Periodically assessing risks and establishing security measures.
• Defining training requirements.
• Monitoring residual risks and incident management.
• Promoting periodic audits.
• Prioritizing actions with limited resources.
• Approving security improvement plans.
• Ensuring security is integrated into all ICT projects.
• Establishing awareness and training measures.
• Resolving conflicts of responsibility.
• Approving the Security Improvement Plan after incidents.
The Committee is not a technical body but may seek expert advice and form working groups or request external support.
6. DEVELOPMENT OF THE INFORMATION SECURITY POLICY
The Committee has approved the development of a management system aligned with security standards and ENS controls.
This system will be documented and evidence-based, supported by a document management procedure.
Documentation will be accessible to personnel, suppliers, and subcontractors as required.
7. AWARENESS
Iluminaciones Ximénez will establish mechanisms, based on Committee proposals, to ensure all personnel receive adequate information, training, and awareness regarding security and privacy.
All personnel must know and comply with this Policy and its associated procedures.
The Committee and HR will ensure proper dissemination.
8. RISK MANAGEMENT
Iluminaciones Ximénez will periodically, and whenever significant system changes occur, carry out a Risk Analysis in accordance with ENS Article 6.
The Committee will review results and establish safeguards to maintain acceptable risk levels.
A risk analysis procedure will define acceptable values, residual risk criteria, periodicity, and exceptional cases.
Risk analysis will also specifically address personal data processing.
9. PERSONAL DATA PROTECTION
Iluminaciones Ximénez will only collect personal data that is adequate, relevant, and not excessive for its intended purpose. It will implement the necessary technical and organizational measures to comply with data protection law.
These measures correspond to those described in the ENS, as required by Organic Law 3/2018.
10. THIRD PARTIES
When Iluminaciones Ximénez provides services to or handles information belonging to other entities, they will be informed of this Policy. Coordination channels and incident response procedures will be established, and a POC will be designated.
When third-party services are used, providers will be made aware of this Policy and relevant Security Regulations, and ENS compliance will be required.
Acquisition of cloud services and assets will follow ENS Annex II and the applicable guidance.
Third parties are subject to these obligations and must allow supervision or audits.
If personal data is involved, incidents must also be routed through the DPO.
Third-party personnel must be adequately trained in security.
If a third party cannot meet any requirement, the Security Officer will issue a risk report requiring approval before contracting.
When acquiring or implementing Artificial Intelligence systems, a report from the Security Officer will be required, with input from relevant roles and the DPO.
11. SECURITY INCIDENT MANAGEMENT
The entity will have a procedure for agile management of security events and incidents, integrated with other relevant procedures (e.g., data protection).
Notifications to supervisory authorities and law enforcement will be made without undue delay when applicable.
12. APPROVAL AND REVIEW OF THIS SECURITY POLICY
This policy reflects Iluminaciones Ximénez’s commitment to information security and may be modified by proposal of the Security Committee due to legislative, technical, or organizational changes.
Initial approval and subsequent revisions will be carried out by management.
The policy will be reviewed at least annually or when circumstances require it.
Puente Genil, 4 November 2025